« FYI NoVA/DC/MD: InfoSec Career Fair Tomorrow! | Main | Not Your Mama's GRC »

Consumer Computers: The Weakest Link?

There's a new consumer-oriented report out from NSS Labs today, and it's more of the same-old-same-old. Unsurprising, AV suites are not silver bullets, nor are they perfect. Perhaps a bit disturbing is how poor many are at detecting known malware, but it's also a wee bit disconcerting that many claim to stop known exploits and yet seem to fail miserably. Per the report, the average lame criminal has about a 10% chance of being successful with a web malware exploit, and around a 1 in 4 chance of running an exploit past these security tools.

None of us should find this terribly surprising. AV suites are just one piece out of the overall self-protection puzzle. Other key components include regular OS patching, use of host-based firewalls, and use of additional security tools, such as IE8's SmartScreen filtering technology. For that matter, Google's safe search capability helps supplement your own consumer security.

Consumer computer security has always posed an interesting challenge, and has frequently been the source of much heated discussion within the security community. Some argue that operating a car requires a license, and that perhaps so should operating a computer. Unfortunately, because there's generally no risk of fatality from operating a computer, and given the now very personal and portable nature of computing, this becomes a hard sell. Some put a strong burden on the OS and software vendors to produce much better secured products, but this argument eventually hits the wall because of the limitations of software security given that there's no such thing as "perfect" security, and the cost-effectiveness curve quickly peaks.

Microsoft and Comcast have now started advocating taking more proactive stances with consumers who are operating infected computers. Comcast piloted and is currently expanding their "Constant Guardian" service that provides pop-up notifications to customers when they've been found to be infected. There are potential problems with this approach, however, as it opens the door to phishing and other web-based attacks that might produce pop-ups that look similar to those generated by Comcast, but which would lead to (further) compromise.

Microsoft, on the other hand, is advocating for proactive quarantine of infected hosts, akin to the public health model. In this model, when a host is deemed to be "infected" it would then be the responsibility of the ISP to separate the host from the rest of the network, likely only letting them route to known good security sites that could help with repair and recovery.

One thing is clear, and that's the sophistication of the threats facing people today. The best example we can give at the extreme edge is that of the Stuxnet incident affecting numerous SIEMENS-based SCADA systems, and particularly those in Iran and India. The full analysis has not been completed, but it seems to be general consensus today that this highly advanced malware is in effect a weaponized worm deployed by a nation-state specifically to disrupt these energy generation control systems. Rather than viewing this as something scary, we should instead realize just how vulnerable we are to attack and begin adjusting accordingly. Though these control systems are notoriously weak on security, we should consider that if a highly-skilled, highly-motivated threat agent can so thoroughly compromise these systems, then how easy would it be for another skilled threat agent to compromise consumer systems en masse? In fact, as a perfect example, consider the Zeus bot network and how thoroughly its affected consumer systems

All of this leads me to believe that we need to change the rules of the game dramatically. Unfortunately, I don't think we have the right infrastructure in place to support such a wholesale shift in thinking (yet). Specifically, I think we need to see the following:
* Inexpensive Consumer Support: Sure, we have services like GeekSquad, but are these cost-effective for the average user? Consider, for example, if we wanted to expand this out to a quarterly or monthly routine support business. I like to think of this as the "JiffyLube" model for PC support (what I tongue-in-cheek think of as "JiffyTune";). Instead of relying on users to self-service, what if they were given the option to either drop their system off, or have a tech come on-site, to ensure routine updates were applied, clean up any sort of mess, etc. Think of your car service plan and then build a comparable model for PCs. OS vendors have already started this, to a degree, but there are so many applications today that it just doesn't seem reasonable to expect that the average user can cover all bases consistently. Toward that end, we would need more techs to provide this service.

* Blue-Collar PC Support Skills Promotion+Training: The level of skill required to update and maintain a PC is decreasingly complex or high-end. As such, I like to think of this potentially new/expanded market for PC maintenance as being roughly equivalent to blue-collar labor. Pres. Obama has touted the need for retraining people who have lost their jobs. PC maintenance could easily become such an area for skills training, which could greatly expand the number of resources available, which could help drive down costs, and which could help meet the needs that would be created by mandating routine computer maintenance. BTW, please note that I'm not using "blue-collar" here as some sort of derogatory phrase, but to denote a skilled labor practice that requires a level of tech training that is different from something more advanced and academic in nature.

* Mandatory Computer Maintenance: Once the fundamental mechanisms were in place, including affordable computer maintenance support from a new army of technicians, it would then be reasonable to mandate that all systems must be maintained, with the consumer being on the hook from a liability perspective for any damage resulting from their failure to maintain. The parallel here is safety and emissions testing for vehicles that many states now have. Maybe you don't need a sticker for your computer, but you should have to demonstrate that a minimum standard of care has been maintained. The trick would be in fairly regulating things so that a) the system couldn't be gamed, and b) that reasonable maintenance efforts result in a reasonable degree of indemnification (i.e., if I still get popped by an 0-day despite being patched, etc., then I shouldn't be punished). The question, too, is what sort of punishments would be appropriate? Fines? Loss of internet access? Fines could easily be assessed, I think, while denying access would be difficult given how many ways consumers can now access the Internet (computer, mobile devices, Kindle, iPad, etc, etc, etc.).

* Proactive Host Quarantine: The idea of host quarantine is very interesting to me, though I think it needs to be paired with an affordable service option. That is to say, if you're going to quarantine a consumer to prevent further spread of an infection, then they need a reasonable method to repair and maintain their systems going forward. As such, I think Comcast's notification approach is perhaps the best approach today, though the phishing concern is still valid. Once affordable support is available, then quarantine 'em all!

* Consumer-Oriented Action-Impact Awareness Training: Perhaps one of the biggest problems today is the lack of connection between consumer actions and the impact of those actions. If a consumer chooses to visit a sketchy site or download suspicious files, then they're asking for trouble. As a security professional, I generally know how to protect myself, but this is not the case for the average user. As such, it seems that, here during CyberSecurity Awareness Month, it's important to develop training programs that seek to reduce the Human Paradox Gap. Until people can better connect their decisions to actions to consequences to impact, there is little hope for improvement. Certainly, instituting a regulatory regime that made consumers financially liable for poor computer maintenance would help express that impact in a meaningful way. However, I have to wonder if there aren't ways to also better incentive consumers to be proactive and responsible?

In the end, there is no single solution that will magically solve this problem. However, that being said, we need to change our approach, and work to institute a shift in consumer culture. It's not acceptable to maintain the status quo, and it's very likely that the current consumer environment is actually enabling the offensive capabilities of nation-states.

TrackBack

TrackBack URL for this entry:
http://www.secureconsulting.net/MT/mt-tb.cgi/1065

Post a comment

About

This page contains a single entry from the blog posted on October 19, 2010 5:43 PM.

The previous post in this blog was FYI NoVA/DC/MD: InfoSec Career Fair Tomorrow!.

The next post in this blog is Not Your Mama's GRC.

Many more can be found on the main index page or by looking through the archives.

Creative Commons License
This weblog is licensed under a Creative Commons License.